Configure PPTP VPN Using Edge Routers

PPTP VPN on Ubiquiti EdgeRouter

This set of instructions results in a PPTP server using local authentication on a Ubiquiti EdgeRouter. It assumes that you already have a basic working configuration with a dynamic or static IP address assigned on the WAN interface, and that there are some free IP addresses on the local network to assign to VPN clients. Be aware of what you are deploying: PPTP authenticates clients with MS-CHAPv2 and encrypts with MPPE (RC4 keyed from that exchange), and a captured MS-CHAPv2 handshake can be brute-forced offline regardless of password strength, so treat PPTP as a compatibility option for legacy clients rather than a strong VPN and prefer L2TP/IPsec or OpenVPN, which EdgeOS also supports, wherever the clients allow it.

CLI setup

In order to make configuration changes, first SSH into the router (or login to the CLI through the GUI) and type

configure

at the terminal.

Authentication Mode

Local Authentication

set vpn pptp remote-access authentication mode local

For each user account that should be able to log in, specify the username (thomas in this example) and password (thomas! in this example) under the local-users section of the same configuration tree.

Pool Address

To specify the range of IP addresses for the VPN server to assign to clients

set vpn pptp remote-access client-ip-pool start 192.168.1.100

set vpn pptp remote-access client-ip-pool stop 192.168.1.150

Name Server

Specify the DNS servers for clients to use as follows; 8.8.8.8 and 8.8.4.4 are Google's public DNS servers. I tried setting the DNS server to the router's IP address, but that didn't work on its own (though it might with additional configuration changes). The likely reason is that the router's DNS forwarder only answers on the interfaces listed under service dns forwarding listen-on, which by default does not include the PPP interfaces the VPN clients arrive on.

set vpn pptp remote-access dns-servers server-1 8.8.8.8

set vpn pptp remote-access dns-servers server-2 8.8.4.4

Remote IP Address (Static IP) or DHCP

Specify the public IP address the PPTP server listens on. Replace x.x.x.x with your static IP, or use the second command instead if the WAN address is assigned by DHCP, replacing eth0 with your WAN interface. Use one or the other, not both.

set vpn pptp remote-access outside-address x.x.x.x

set vpn pptp remote-access dhcp-interface eth0

Commit, review, and save

Commit configuration changes using

commit

To review the PPTP remote access configuration

show vpn pptp remote-access

Finally, save the changes using

save

And typing

exit

will exit out of configure mode
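The whole procedure above as one configuration session, added here as an example and not part of the original page. It assumes the same values as the text (user thomas, pool 192.168.1.100-150, Google DNS, DHCP on eth0); the local-users line is the EdgeOS command for the user account step, and the password is single-quoted so the CLI's shell does not interpret the trailing "!".

```vyatta
configure
set vpn pptp remote-access authentication mode local
set vpn pptp remote-access authentication local-users username thomas password 'thomas!'
set vpn pptp remote-access client-ip-pool start 192.168.1.100
set vpn pptp remote-access client-ip-pool stop 192.168.1.150
set vpn pptp remote-access dns-servers server-1 8.8.8.8
set vpn pptp remote-access dns-servers server-2 8.8.4.4
set vpn pptp remote-access dhcp-interface eth0
commit
show vpn pptp remote-access
save
exit
```

Run commit before show so you are reviewing the active configuration rather than the pending one, and only save once the commit succeeds; a failed commit leaves nothing to save. Some firmware versions also expose an mppe option under vpn pptp remote-access (deny/prefer/require); this is an assumption to verify with tab completion on your router, but if it is present, setting it to require refuses clients that would otherwise fall back to an unencrypted PPP session. Once a client has connected, the operational-mode command show vpn remote-access lists the active sessions and the pool address each one was given.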

Firewall Setup

The following changes should be made in the WAN_LOCAL rule set (or whatever the rule set that controls access to the router itself is called). They should be added before the rule that drops invalid packets.

PPTP: TCP port 1723

Navigate to Firewall/NAT > Firewall Policies

Click on Actions > Edit Ruleset next to the WAN_LOCAL ruleset

Click Add New Rule

Configure the new rule as shown

Click Save

GRE: protocol 47

Below the new rule and still above the rule to drop invalid packets, add another rule by clicking on Add New Rule

Configure the rule as shown

Click Save

Ensure the rules look similar to what’s shown below, clicking and dragging them as necessary. After changing the order (if needed), click on Save Rule Order.
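The same two firewall rules entered from the CLI instead of the GUI, added here as an example and not part of the original page. It assumes the stock WAN_LOCAL rule set (rule 10 accepts established/related traffic, rule 20 drops invalid packets), so rule numbers 15 and 16 place the new rules between them, matching the ordering described above; check the existing numbers first with show firewall name WAN_LOCAL and pick free ones if your rule set differs.

```vyatta
configure
show firewall name WAN_LOCAL
set firewall name WAN_LOCAL rule 15 description 'PPTP control channel'
set firewall name WAN_LOCAL rule 15 action accept
set firewall name WAN_LOCAL rule 15 protocol tcp
set firewall name WAN_LOCAL rule 15 destination port 1723
set firewall name WAN_LOCAL rule 16 description 'PPTP GRE data channel'
set firewall name WAN_LOCAL rule 16 action accept
set firewall name WAN_LOCAL rule 16 protocol gre
commit
show firewall name WAN_LOCAL
save
exit
```

Rule order in EdgeOS is the numeric order of the rules, which is what Save Rule Order in the GUI rewrites; the second show confirms that 15 and 16 sit above the drop-invalid rule. Protocol gre is resolved from the router's protocol table and is equivalent to specifying 47. If your clients always connect from known addresses, add a source address <network> clause to both rules so that TCP 1723 and GRE are not exposed to the whole Internet; with the default WAN_LOCAL policy of drop, everything not matched by these rules continues to be discarded.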